Apple Firewall Issues

jesselvella

Just a heads up that it looks like Apple may be using a different service now to load the App Store. I ran into the issue today where the App Store was blocked for all of our students' iPads. I ran a trace on the HTTPS traffic coming from the device when it said it couldn't connect and I found it trying to hit this IP: 69.192.18.217

jesselvella

Just in case anyone needs this, here is a list of things to unblock for Apple services.

iTunes must be allowed to connect on port 80 and 443 to the following hostnames:
albert.apple.com
ax.itunes.apple.com
buy.itunes.com
deimos.apple.com
gs.apple.com
itunes.apple.com
metrics.apple.com
ocsp.apple.com
phobos.apple.com
su.itunes.apple.com
ax.su.itunesapple.com

Each of these hostnames has corresponding CNAMEs on the Edgesuite and Akamai networks that the customer should perform an NSLOOKUP on to identify and authorize in their network.

Many hostnames have prefixed hostnames for load balancing. For example, phobos has many servers that are prefixed to it (e.g. a806.phobos.apple.com) and suffixes (e.g. a806.phobos.apple.com.suite.edge.net), as these servers load-share for downloads.

There are also lookups to:
ocsp.verisign.net
evintl-ocsp.verisign.com
evsecure-ocsp.verisign.com

jesselvella

Correct! Apple uses various distribution services to offload many different types of services they run. I wonder if unblocking the URL string for Akamai works or not. I tried *.akamaitechnologies.com but who knows how many ranges they have.

If you have any more suggestions please let us know!

Thanks!

jpwilson

Seeing a similar issue. Our problem is that we are using device supervision and a private carrier APN. When using the carrier network it ignores our Global Proxy settings and tries to connect to the sites directly, bypassing our proxies.

On wireless it still uses the proxy though.

iOS 7 worked fine, just happening with iOS 8. Makes it impossible to install software unless in wireless range.

Jason

nicdai

Hello, we do SSL inspection and we have the same problem here. Some of our iPads work on iOS 8.0.2, others don't. The ones that don't work on our enterprise network work well over other connections (3G, LTE).

I think that the App Store app uses a new URL/port that we need to unlock. If somebody has the info other than the IP, I would like to know.

Thanks

JD

I have found a similar issue when Apple changed the range of Akamai hostnames it uses. Our whitelists no longer included all the servers returned via round robin so some installs would fail, some would succeed, with no way to predict the outcome.
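As an added example (not code from this thread), a Python script that follows CNAME chains from an allowlisted hostname into its Akamai edge names and reports which names and addresses an allowlist misses across repeated lookups, the round-robin failure JD describes above and the CNAME lookups jesselvella's list asks for. The record data is constructed; in practice you would feed it the answers from your own resolver.

```python
import fnmatch
import ipaddress

# Constructed lookup data (not real Apple or Akamai records): each dict is one
# resolver answer set, and successive dicts simulate successive round-robin
# answers for the same query.
ROUNDS = [
    {
        "phobos.apple.com": [("CNAME", "phobos.apple.com.edgesuite.net")],
        "phobos.apple.com.edgesuite.net": [("CNAME", "a806.phobos.apple.com.akamai.net")],
        "a806.phobos.apple.com.akamai.net": [("A", "203.0.113.10"), ("A", "203.0.113.11")],
    },
    {
        "phobos.apple.com": [("CNAME", "phobos.apple.com.edgesuite.net")],
        "phobos.apple.com.edgesuite.net": [("CNAME", "a1.phobos.apple.com.akamai.net")],
        "a1.phobos.apple.com.akamai.net": [("A", "198.51.100.7")],
    },
]


def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs from `name` in one answer set; return (names seen, A records)."""
    seen, ips = [name], []
    for _ in range(max_hops):
        answers = records.get(name, [])
        cnames = [t for (rtype, t) in answers if rtype == "CNAME"]
        ips += [t for (rtype, t) in answers if rtype == "A"]
        if not cnames:
            break
        name = cnames[0]
        if name in seen:  # loop guard: a CNAME cycle would otherwise spin
            break
        seen.append(name)
    return seen, ips


def audit_allowlist(rounds, query, name_patterns, allowed_nets):
    """Resolve `query` across every round; return (names, IPs) the allowlist
    does not cover. Empty lists mean every observed answer is permitted."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    missing_names, missing_ips = set(), set()
    for records in rounds:
        names, ips = resolve_chain(records, query)
        for n in names:
            if not any(fnmatch.fnmatch(n, p) for p in name_patterns):
                missing_names.add(n)
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                missing_ips.add(ip)
    return sorted(missing_names), sorted(missing_ips)
```

Run it against several real lookups spread over time, since a single answer only shows one member of the round-robin set.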

JD

Further update from Apple,
They recently changed an SSL cert used to secure APNS to device communication.
Devices that get the new cert try to validate it by going out on port 80 to aia.entrust.net. If your network blocks comms to that IP/host the device will not trust the new APNS and will fail the SSL handshake. It will try on 443, which again fails because the cert authenticity has not been verified.
That's it in a nutshell; it obviously affects people on secure networks that don't have free access to the internet.
And it appears to be fixed in 9.1, so you may see those devices work.
Hope this helps!